Advanced Attackers

Like criminal actors, state-sponsored actors or APTs often initiate their illicit access campaigns with spear phishing. However, advanced actors have more time and resources on their hands, and can fashion something of value even from apparently useless data. Large caches of innocuous information, such as email addresses, can be used to look for access elsewhere, since we use email addresses as usernames for other accounts. The main difference in this case between cybercriminals and state-sponsored actors is the sophistication of the intelligence analysis programs behind the actual attacks. Collecting as much information as possible allows traditional intelligence organizations to understand their targets with granularity, supporting physical espionage operations as well as digital exploits.

For example, the 2015 Office of Personnel Management breach provided detailed personal histories, including psychological profiles and biometric information such as fingerprints. The intelligence value of these records is enormous, because the combination of the depth and the breadth of the dataset allows adversaries to make connections and draw conclusions about what steps to take next. For instance, between the OPM and the Equifax datasets, an adversary could get a very clear picture not only of whom to target but how–whether to use blackmail, financial incentives, ideological incentives, or other techniques.

Mitigation

So, how do you reduce the risk that access attacks pose? We’d love to say “just MFA it” and drop the mic, but we realize that multi-factor authentication can be hard to implement and not always feasible in the time frames we’d like. As much as passwords are flimsy protection, we found in 2018’s report that 75% of organizations still used simple username/password credentials for critical web applications, so we can’t just pretend that they don’t exist anymore.

To start, make sure your system can at least detect brute force attacks. Setting up alarms is a good start, but it’s better to slow down the session by throttling or CAPTCHA, or even denylist the IP. However, one of the things that makes access such a tricky tier to work on is that confidentiality and integrity can sometimes find themselves at odds with availability. Locking the account in perpetuity is good for protecting unauthorized access, but also results in denial of service for the user. If you’re going to lock someone out, make sure you can fail gracefully, and look out for the bane of the false positive. Set up reset mechanisms that work for both you and your users and get the legitimate traffic back online as quickly as possible.

In other words, it’s not enough to set up some firewall alarms on brute force attempts and take a nap. You have to test these monitoring and response controls, run incident response scenario tests, and develop incident response playbooks so that you can react quickly and reliably.

The NIST Digital Authentication Guidelines offer principles that represent a good baseline and get away from some well-intentioned but obsolete ideas about access control:

• Make your password policies user friendly
• Check passwords against a dictionary of default, stolen, and well-known passwords, both when users choose a password, and on a recurring basis
• Password reset should never use hints
• Use long passwords
• Avoid arbitrary 30/45/60/90-day password rotations
• Lock or remove unnecessary credentials

At a more advanced level, authentication can turn into a continuous practice instead of a one-time check. We don’t want to make users re-enter a password every time they act on a system, such as accessing or changing data. Such a thing would be about as user-unfriendly as we can get. However, there are backend authentication tools, like cookies and session tokens, that can be used to reduce the attack surface, prevent escalation of privilege and network traversal, and effectively function as a sort of digital quarantine.

Some cloud providers have suspicious activity alert capability for their customer accounts. Specifically, Microsoft Azure has a mechanism to flag and block the use of known bad passwords in AD cloud deployments.

The same accidental denial of service issues we outlined above apply especially to email, so controlling risk around email attacks is tricky. Make sure you monitor load on your authentication infrastructure using threshold alarms.

As part of an assume breach approach, plan for an attacker to gain access to email, and gear your forensics accordingly. Assume that attackers will set up email forwarding and account delegation on a stolen mailbox, and the user may not even know it. Write up procedures on how to review this and make them part of the incident response plan.